This is a cherry-pick of three upstream commits that got lost in the
transition when Ganeti was donated to the community.
Submitted upstream: <https://github.com/ganeti/ganeti/pull/1494>.
diff --git a/lib/bootstrap.py b/lib/bootstrap.py
--- a/lib/bootstrap.py
+++ b/lib/bootstrap.py
@@ -934,6 +934,8 @@ def SetupNodeDaemon(opts, cluster_name, node, ssh_port):
constants.NDS_CLUSTER_NAME: cluster_name,
constants.NDS_NODE_DAEMON_CERTIFICATE:
utils.ReadFile(pathutils.NODED_CERT_FILE),
+ constants.NDS_HMAC:
+ utils.ReadFile(pathutils.CONFD_HMAC_KEY),
constants.NDS_SSCONF: ssconf.SimpleStore().ReadAll(),
constants.NDS_START_NODE_DAEMON: True,
constants.NDS_NODE_NAME: node,
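Review bot: The value added by `utils.ReadFile(pathutils.CONFD_HMAC_KEY)` is a secret, and it now sits in the same dict as the rest of the node setup data, so any code outside this hunk that logs or echoes that dict would also write the key to logs. SetupNodeDaemon's body continues beyond the hunk, so I cannot tell whether that happens; it is worth confirming before merge. A short comment above the new entry would record the constraint, e.g. `# Secret: confd HMAC key; never log this dict verbatim`.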
diff --git a/lib/tools/common.py b/lib/tools/common.py
--- a/lib/tools/common.py
+++ b/lib/tools/common.py
@@ -184,6 +184,19 @@ def VerifyClusterName(data, error_fn, cluster_name_constant,
return name
+def VerifyHmac(data, error_fn):
+ """Verifies the presence of the hmac secret.
+
+ @type data: dict
+
+ """
+ hmac = data.get(constants.NDS_HMAC)
+ if not hmac:
+ raise error_fn("Hmac key must be provided")
+
+ return hmac
+
+
def LoadData(raw, data_check):
"""Parses and verifies input data.
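Review bot: The docstring of `VerifyHmac` documents only `data`; `error_fn` and the return value are missing. I would add `@param error_fn: exception class raised when the key is absent or empty` and `@return: the HMAC key taken from C{data}`. The local name `hmac` is also the name of a standard library module, so it would shadow that module if this file ever imports it; `hmac_key = data.get(constants.NDS_HMAC)` matches the name the caller in node_daemon_setup.py already uses.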
diff --git a/lib/tools/node_daemon_setup.py b/lib/tools/node_daemon_setup.py
--- a/lib/tools/node_daemon_setup.py
+++ b/lib/tools/node_daemon_setup.py
@@ -51,6 +51,7 @@ from ganeti.tools import common
_DATA_CHECK = ht.TStrictDict(False, True, {
constants.NDS_CLUSTER_NAME: ht.TNonEmptyString,
constants.NDS_NODE_DAEMON_CERTIFICATE: ht.TNonEmptyString,
+ constants.NDS_HMAC: ht.TNonEmptyString,
constants.NDS_SSCONF: ht.TDictOf(ht.TNonEmptyString, ht.TString),
constants.NDS_START_NODE_DAEMON: ht.TBool,
constants.NDS_NODE_NAME: ht.TString,
@@ -127,11 +128,18 @@ def Main():
cluster_name = common.VerifyClusterName(data, SetupError,
constants.NDS_CLUSTER_NAME)
cert_pem = common.VerifyCertificateStrong(data, SetupError)
+ hmac_key = common.VerifyHmac(data, SetupError)
ssdata = VerifySsconf(data, cluster_name)
logging.info("Writing ssconf files ...")
ssconf.WriteSsconfFiles(ssdata, dry_run=opts.dry_run)
+ logging.info("Writing hmac.key ...")
+ utils.WriteFile(pathutils.CONFD_HMAC_KEY, data=hmac_key,
+ mode=pathutils.NODED_CERT_MODE,
+ uid=getent.masterd_uid, gid=getent.masterd_gid,
+ dry_run=opts.dry_run)
+
logging.info("Writing node daemon certificate ...")
utils.WriteFile(pathutils.NODED_CERT_FILE, data=cert_pem,
mode=pathutils.NODED_CERT_MODE,
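Review bot: The new `utils.WriteFile(pathutils.CONFD_HMAC_KEY, ...)` call borrows `mode=pathutils.NODED_CERT_MODE` and the masterd uid/gid from the certificate write below it, so the permissions of a secret key file depend on a constant named for a different file. If the certificate mode is ever loosened, the key file follows silently. The path name suggests confd is the consumer, so masterd ownership may not be what the rest of the project expects for this file; this is inferred from the names only, since the values are not visible here. I would give the key its own mode constant, or at least comment the reuse: `# hmac.key is a secret; mode/owner must match what is set for it on the master`. Main() starts and ends outside the hunk.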
diff --git a/src/Ganeti/Constants.hs b/src/Ganeti/Constants.hs
--- a/src/Ganeti/Constants.hs
+++ b/src/Ganeti/Constants.hs
@@ -4833,6 +4833,9 @@ ndsNodeDaemonCertificate = "node_daemon_certificate"
ndsSsconf :: String
ndsSsconf = "ssconf"
+ndsHmac :: String
+ndsHmac = "hmac_key"
+
ndsStartNodeDaemon :: String
ndsStartNodeDaemon = "start_node_daemon"